In just over two years, the Software Bill of Materials, SBOM, has rocketed from an under-the-radar concept to a cybersecurity essential in any organization's control environment. The journey of the SBOM parallels tech's larger narrative, one where rapid adaptation and the pursuit of resilience and transparency confront, head-on, the specter of escalating digital threats.
Change Catalyst: Executive Order 14028
Much of SBOM's coming of age can be traced to one moment - when President Biden signed Executive Order 14028 in May 2021. At the time, we, along with much of the cybersecurity industry, recognized EO 14028 as a pivotal event in the cybersecurity timeline.
"This EO directs Federal agencies to develop new security requirements for software vendors selling into the U.S. government. This has already had a major impact on global software development processes and lifecycles, even for organizations that do not sell into the Federal government," we wrote.
This pivotal legislation soon propelled the concept of SBOMs from the margins of notes in conference room minutes to the spotlight, in both the public, and the private, sector. EO 14028 marked a decisive turn in cybersecurity dialogue, underlining the need for a transparent and manageable software supply chain.
From obscure origins, SBOM emerges as a necessity
In a 2022 survey conducted The Linux Foundation, we can see evidence of SBOM's coming of age in software supply chain security. Indeed, within a year of the passage of EO 14028, 82% of survey participants from 412 organizations around the world were already familiar with SBOM as term. Three of every four respondents were actively engaged in addressing SBOM needs, and nearly half, 47%, were already producing or consuming SBOM.
From the passage of EO 14028 in May 2021 to the execution of the Linux Foundation survey one quarter later, SBOM had already experienced a shift from a theoretical element of idealized control environments to an indispensable, and tangible, tool in benchmark cybersecurity programs that prioritized the security of their software supply chains.
The Road to SBOM Integration begins with software transparency
How does SBOM fit into a software supply chain security program? Whether you commit to SBOM to satisfy regulatory requirements, or to proactively improve the security of your connected product, the first step in SBOM adoption begins with shining a light on the unknown, embracing software transparency.
Software transparency, in its ideal state, means scrutinizing every line of code within a product, whether your organization developed it, or you've externally sourced that code from a third-party provider. This is where SBOM shines.
When you're first starting out in securing a connected product, the single pane of glass transparency provided by Finite State's SBOM solution is indispensable. Ingesting scans from 150+ scanners and feeds, the Next Gen Platform serves as a powerful lens, bringing into focus the often opaque and complex landscape of software components that constitute your product. By meticulously cataloging every element, from proprietary code to open-source dependencies, Finite State's SBOM illuminates the intricacies of your software infrastructure.
This transparency is crucial not only for initial risk assessment but also for ongoing management of the software supply chain. With the Next Gen Platform, organizations can confidently identify and assess the software within their products, ensuring that every layer, every module, and every package is accounted for, scrutinized, and verified—laying a solid foundation for robust device security from the outset.
Assessing and Prioritizing: The SBOM Lifecycle
With a full inventory in hand, you next move onto assessment—scrutinizing each component against known vulnerabilities and weaknesses. This step is a lot like reconciling your car's parts against recall notices and accident reports, ensuring each piece is secure and working as it should. From this assessment emerges a list of priorities—identifying which vulnerabilities require immediate attention and which can be scheduled for later review.
Automation: The Engine Driving SBOM Efficiency
The operational challenges of maintaining, sharing, and updating SBOMs--SBOM Management--have highlighted the indispensable role of automation in software supply chain security. Just as the modern automobile relies on advanced diagnostics to monitor its systems, so too must SBOMs be supported by automated tools that offer continuous, real-time insights into the software supply chain.
Remediation and Response: Ensuring Cybersecurity Roadworthiness
Addressing vulnerabilities is the next critical step, one that must be navigated with strategy and foresight. It involves not just fixing issues but also preparing for potential future threats, ensuring that the product remains secure through its lifecycle.
Improvement: Ongoing Refinement of Cyber Defenses
Lastly, the process of continuous improvement is vital. In cybersecurity, as in automotive technology, innovation never rests. The SBOM must be a living document, one that evolves alongside the products it describes, charting a course of enhancements and fortifications over time.
As we reflect on product security, software supply chain security, and the maturation of the SBOM as a cybersecurity tool, it's evident that this transformation is more than a mere change in practice—it's a fundamental shift in how we perceive and prioritize cybersecurity. The SBOM is now a cornerstone of software supply chain security, a clear reflection of a collective commitment to safeguarding our digital world. In the years to come, we anticipate SBOMs will be as ubiquitous and essential as any standard security measure, a true testament to cybersecurity's dedication to a more secure and transparent digital ecosystem.
